Evidence of an information leakage between logically independent blocks HiPEAC 2015
CS2
CEA-TECH/EMSE | 19/01/2015
Loic Zussa, Ingrid Exurville, Jean-Max Dutertre, Jean-Baptiste Rigaud, Jessy Clediere, Bruno Robisson and Assia Tria
General context
An integrated circuit (IC) may contain critical information.
• pay TV, bank, …
Several attacks exist to extract this information.
• side channel, fault attack, …
Countermeasures (CM) have been designed to secure these ICs against attacks.
• redundancy, masking, perturbation sensors, …
This work focuses on fault attacks. The studied design is an AES-128, and its secret key constitutes the critical information.
Cryptographic fault attack
CM example: redundancy
• The CM is “data dependent”
• Sensitive to safe-error attacks
• Differential Fault Analysis: based on correct/incorrect ciphertexts
[Figure: Plaintext → AES IC (AES + AES (CM)) → Ciphertext]
Cryptographic fault attack
CM example: external sensor
• The CM is “data independent”
• Robust against safe-error attacks (in theory)
• Safe Error: based on correct/incorrect behavior
[Figure: Plaintext → AES IC with Sensor (CM) → Ciphertext]
Agenda
• Timing constraint violations based fault injection
• Delay based countermeasure
• Evidence of an information leakage between logically independent blocks
• Experimental results
• Conclusion
Clock glitch attack
Path lengths of intermediate values depend on the inputs D1, D2, D3.
[Figure: register (D Q) → SubByte → register (D Q), with path lengths for inputs D1, D2, D3; legend: timing constraint violation]
Clock glitch attack – Injection bench
Target: AES-128 implemented on a Spartan 3A FPGA.
[Figure: injection bench with external clock, trigger and AES-128 target]
Delay based countermeasure
Under attack, the alarm of the countermeasure is triggered before any fault appears in the AES calculations.
• Critical path for every input < CM guarding delay
• Clock period < CM guarding delay
• Data independent (theoretically)
[Figure: CM guarding delay compared with the path lengths for inputs D1, D2, D3]
« 1 » is sampled
« 0 » is sampled
Evidence of practical physical dependencies
Assumptions:
• AES power consumption is data dependent. AES calculations cause small, localized variations in the supply voltage.
• The CM guarding delay depends on the supply voltage.
As a result, could the CM guarding delay threshold be data dependent?
Are there leakages of critical information?
[Figure: CM guarding delay shown for inputs D1, D2, D3. CM guarding delay variations?]
Evidence of practical physical dependencies
Measurement of the CM alarm sensitivity (fault attack)
One period of the clock, Tclk, is decreased step by step until the alarm of the CM detects this modification.
For any input, the value of the CM guarding delay is not supposed to change.
[Figure: time axis (in ns) showing Tclk = 10 ns and the CM guarding delay]
Stress = 1: alarm sensitivity = 0 %
Stress = 2: alarm sensitivity = 0 %
Stress = 3: alarm sensitivity = 45 %
Stress = 4: alarm sensitivity = 100 %
Evidence of practical physical dependencies
Alarm sensitivity variations
[Figures: alarm sensitivity versus stress steps for inputs #120, #139 and #169]
Alarm sensitivity IS data dependent.
Are there dependencies that make it possible to retrieve the key?
Attack on one byte
Clock glitch attack on the 1st AES round
CM sensitivity measurements:
• 256 different input values (1 byte) were tested
• The detection rate was measured for 15 different stresses
• For every input and stress, the experiment was performed 1000 times
Hypothesis on the secret key:
• 256 inputs
• 256 key hypotheses
• 256*256 intermediate values (outputs of the S-boxes)
[Figure: register (D Q) → SubByte → register (D Q)]
Attack on one byte (one stress)
Calculation of the correlation coefficient between the hypotheses of intermediate values for a key value and the countermeasure sensitivity measurements.
• 256 input values, 256 CM sensitivity measurements
• 256 hypotheses of key byte values, 256*256 intermediate value hypotheses
• 8 selection functions: the value of one bit of the intermediate value (i.e. the value at the output of the SubBytes function)
[Figure: CM sensitivity against the selection function result (0 or 1); slope, correlation coefficient]
[Figure: correlation coefficient versus key hypothesis (axis 0 to 255), with the good key hypothesis marked]
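The correlation step described on this slide, as an added example run on simulated data; it is not the authors' code or their measurements. The leakage model (alarm rate 0.45 at one stress, raised by 0.06 when one SubBytes output bit is set), the key byte 0x5A and the function names are constructed assumptions, useful for checking whether a sensor's detection rate leaks before deployment.

```python
import random

def aes_sbox():
    """AES S-box: inverse in GF(2^8), then the affine transformation."""
    def mul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            a = (a << 1) ^ (0x11B if a & 0x80 else 0)
            b >>= 1
        return r
    def rotl(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if mul(x, y) == 1), 0)
        box.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return box

SBOX = aes_sbox()

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def measure_sensitivity(key, leak_bit, trials=1000, seed=1):
    """Constructed leakage model (assumption): at one stress, the alarm fires
    with probability 0.45, plus 0.06 when one S-box output bit is set."""
    rng = random.Random(seed)
    rates = []
    for x in range(256):  # 256 input values, 1000 trials each
        p = 0.45 + 0.06 * ((SBOX[x ^ key] >> leak_bit) & 1)
        rates.append(sum(rng.random() < p for _ in range(trials)) / trials)
    return rates

def rank_key_hypotheses(rates):
    """Best |Pearson| over the 8 single-bit selection functions, per key."""
    scores = []
    for k in range(256):
        best = max(abs(pearson([(SBOX[x ^ k] >> b) & 1 for x in range(256)], rates))
                   for b in range(8))
        scores.append((best, k))
    return sorted(scores, reverse=True)

if __name__ == "__main__":
    rates = measure_sensitivity(key=0x5A, leak_bit=3)  # constructed key byte
    for score, k in rank_key_hypotheses(rates)[:3]:
        print(f"key hypothesis 0x{k:02X}: |r| = {score:.3f}")
```

A countermeasure whose detection rate is truly data independent would give no key hypothesis a correlation that stands out from the others.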
Experimental results (one byte)
256 messages x 15 stresses x 1000 = 3 840 000 measurements
[Figure: Pearson correlation versus stress; label: 2B]
The behavior of the good key hypothesis differs from that of the other hypotheses.
Experimental results (16 bytes)
The same principle is repeated to recover the 16 bytes of the secret key.
[Figure: Pearson correlation versus key hypothesis]
Conclusion
However small these consumption variations may be, they could be sufficient to affect all the IC blocks and cause an information leak that allows secret information to be recovered.
Optimization: the total number of iterations or the number of detections can be reduced by choosing a suitable stress.
Perspectives: Where do the leakages come from? From the implementation? From the chip itself?
Alarm sensitivity IS data dependent
And enables an attacker to retrieve the secret key
Thank you for your attention
Questions